Big Data might be the big thing this year, but it's just one step in the evolution of enterprise information systems. Each year they become more powerful. As do the capabilities of their users. Forget the 'least privilege' principle. It's only Data Protection law that limits what they can access.
Such a landscape can no longer be policed by humans and procedures. Technology is needed to leverage security controls. The Golden Triangle of people, process and technology needs to be rebalanced in favour of automation. And I'm speaking as a pioneer and highly experienced expert in process and human factors.
You may wonder where the Triangle originated. Contrary to popular opinion it was not invented by Bruce Schneier. I can't help you before 1990, which is when I first encountered it in Shell. At that time it was being used in operational research circles.
I first used it in 1991 to help balance the content of the Shell baseline security controls, the forerunner of BS7799 and ISO 27002. Back then we wanted to embed procedures to support ISO 9000 adoption. We also wanted to place more on user awareness. We sought in fact a perfect balance of controls for people, process and technology.
Today I'd ditch the Triangle. It's become an argument against excessive focus on technology. Yet that's what we now need. There's nowhere near enough exploitation of technology in our security controls. We rely far too much on policy and people, neither of which are reliable, especially when dealing with fast-changing, large scale infrastructures.
What's needed to correct the balance? The answer lies in the use of 'Big Data' analysis engines, scalable Cloud services and artificial life intelligence. These technologies are available now but our usage of them is still in its infancy. Ten years ago I experimented with data mining and computational immunology. They worked but it was a major challenge to maintain a positive business case. Funding dried up as the gloss wore off the digital revolution.
It's now time to get serious with technology and develop the automated solutions needed to meet today's challenges. Policy and education measures might get you through an audit but they won't stop an advanced persistent threat.


"There's nowhere near enough exploitation of technology in our security controls. We rely far too much on policy and people, neither of which are reliable, especially when dealing with fast-changing, large scale infrastructures."
Isn't it amazing that we build computer systems that allow people to select passwords like "password1" and then we spend hundreds of hours trying to tell the users not to?
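The automated control the comment argues for, as an added example that is not part of the original post or the comment: reject "password1"-class choices at the point of selection instead of relying on user education. The denylist, dictionary and minimum length are constructed stand-ins for whatever an organisation actually maintains.

```python
import re

# Constructed denylist standing in for a real common/breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}
# Constructed word list for the "dictionary word plus digits/symbols" pattern check.
DICTIONARY_WORDS = {"password", "welcome", "summer", "winter", "monday", "admin"}
MIN_LENGTH = 12  # assumed policy value

# Cosmetic substitutions users apply to a banned word (P@ssw0rd); undone before matching.
LEET_TABLE = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def normalise(candidate):
    """Reduce a candidate to its underlying word: lower-case, drop trailing digits/symbols, undo leet."""
    s = candidate.lower()
    s = re.sub(r"[^a-z]+$", "", s)   # "password1!" -> "password"
    return s.translate(LEET_TABLE)   # "p@ssw0rd"   -> "password"


def evaluate_password(candidate):
    """Return (accepted, reasons). Enforced by the system at selection time, not by a memo to users."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password denylist")
    core = normalise(candidate)
    if core in DICTIONARY_WORDS or core in COMMON_PASSWORDS:
        reasons.append("dictionary word with cosmetic tweaks")
    if len(set(candidate)) <= 3:     # "aaaaaaaaaaaa" passes a length rule but is trivial
        reasons.append("too few distinct characters")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ["password1", "P@ssw0rd2024!", "correct-horse-battery-staple"]:
        print(pw, evaluate_password(pw))
```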
I would also add that Mr. Lacey, perhaps due to time and/or space constraints, limits his treatment of the solution to “the use of ‘Big Data’ analysis engines, scalable Cloud services and artificial life intelligence,” without first recognizing a critical dependency: Technological controls need to talk to one another using a common set of languages and protocols. If we’re really going to go after a wide and deep solution, it seems that getting the fundamentals of what we want to describe in an automated manner defined in a dynamically updatable way is required first. -- https://stoicsecurity.com/2013/01/30/rebalance-the-golden-triad-of-people-process-and-technology/#more-349
The triangle is like the proverbial three-legged stool – no two or one can stand alone. The focus should be on technology to carry out the implementation of policies and procedures instead of people. But you still need all three.